> 2023-12-29 Espressif replied that impact of the first bug is just disconnection of the attached device, since it does not impact normal use nor leak user data it cannot be considered a vulnerability. The second bug (OOB write) is not present in Host or Controller code, it only affects example code and customers typically develop autonomously based on the API, so the impact is minimal.

A disappointing response from Espressif considering we are all probably running something with an Espressif SoC and I suspect the majority of customers use the example code verbatim.